Note: This version is in draft and is currently being migrated from the Appointment Management specification.
Access
This API is user-restricted, meaning an end user must be present and authenticated to use it.
The end user must be:
- a patient
- authenticated with NHS login to P9 identity verification level
The API uses OpenID Connect to authenticate the end user and OAuth 2.0 to authorise the calling system. It supports the following security pattern using NHS login:
Gaining access
There are a number of measures in place to control access to the PFS APIs when they are accessed through APIM.
- The client application e.g. NHS App must be registered and assured with NHS login. This allows the client app to use NHS login for patient identity and acquire an ID Token during the login process
- The client application must be registered with the APIM platform
- The client application must be known to and assured by the GP system
- The patient must have a high level verification (P9) on their NHS login account
- The patient must be registered on the GP system they are associated to in PDS (accessed via PDS FHIR API)
Patients are identified in requests to the GP system through an NHS login ID token. Requests to the GP system made through APIM go through a process called Token exchange.